PQC ASIA FORUM IN SEOUL, November 28-29, 2016

Computational Problems in Post-Quantum Cryptography
Tsuyoshi Takagi, Kyushu University, Japan
http://imi.kyushu-u.ac.jp/~takagi/

History of Public-Key Cryptography
(Timeline figure, 1980 to 2030: Rabi Model (1944), Shor Algorithm, IBM's NMR Quantum Computer, Haroche-Wineland's Quantum Experiments.)
• RSA (integer factorization problem) and Elliptic Curve Cryptography (discrete logarithm problem) are widely used. These cryptosystems are no longer secure in the era of quantum computers.
• Post-Quantum Cryptography (PQC) (code-based, lattice-based, multivariate polynomial based, etc.): long-term security, efficient implementation. Fully homomorphic encryption and multi-linear maps: research phase.

Trend in Post-Quantum Cryptography
• The National Security Agency (NSA) announced preliminary plans for transitioning to quantum resistant algorithms in August 2015. https://www.nsa.gov/ia/programs/suiteb_cryptography/
• Recent workshops:
  - January 2015, DIMACS Workshop on The Mathematics of Post-Quantum Cryptography, http://dimacs.rutgers.edu/Workshops/Post-Quantum
  - April 2015, NIST Workshop on Cybersecurity in a Post-Quantum World, http://www.nist.gov/itl/csd/ct/post-quantum-crypto-workshop-2015.cfm
  - September 2015, Dagstuhl Seminar - Quantum Cryptanalysis, https://www.dagstuhl.de/en/program/calendar/semhp/?semnr=15371
  - November 2015, ETSI Workshop on Quantum-safe Cryptography
  - February 2016, PQCrypto 2016: https://pqcrypto2016.jp/
• Big research projects:
  - Post-quantum cryptography for long-term security: http://pqcrypto.eu.org/
  - CROSSING: https://www.crossing.tu-darmstadt.de/
  - JST CREST CryptoMath: https://cryptomath-crest.jp/

PQCrypto 2016
• More than 240 participants (USA/Canada 70, Europe 60, Asia 60, Japan 40, others 10).
• NIST announced preliminary plans for transitioning to quantum resistant algorithms.

Security Evaluation Cycle
(Figure: New Scheme → discussion in public conferences → Stress Test → Some weak class? →
New attack algorithm → Security Evaluation → How many bits are secure? → Expiring key size → Practical Use. The cycle takes about 10 years and is driven by computer speed-up and new cryptanalyses.)

Cryptography Research and Evaluation Committees in Japan (CRYPTREC)
http://www.cryptrec.go.jp/

Example of RSA public key: current record for factoring integers
• January 2010, 768 bits, 1500 CPU years, Aoki et al.
  1230186684530117755130494958384962720772853569595334792197322452151726400507263657518745202199786469389956474942774063845925192557326303453731548268507917026122142913461670429214311602221240479274737794080665351419597459856902143413
  = 33478071698956898786044169848212690817704794983713768568912431388982883793878002287614711652531743087737814467999489
  × 36746043666799590428244633799627952632279158164343087642676032283815739666511279233373417143396810270092798736308917

Estimation for Key Length of RSA
(Figure: computational cost for finishing the sieving step within one year, updated July 2015, for RSA 768, 1024, 1536 and 2048 bits, compared with the supercomputers K, Tianhe-2, Titan and Sequoia.)

Candidates of Post-Quantum Cryptography
• Hash-based signature schemes
• Code-based cryptosystems
• Multivariate cryptosystems
• Lattice-based cryptosystems
• Isogeny-based cryptosystems
• etc.

Multivariate Public-Key Cryptography (MPKC)
Multivariate Quadratic polynomial problem (MQ Problem)
An example: three variables and 3 equations over the finite field GF(7):
  $f_1(x_1, x_2) = 2x_1^2 + 5x_1x_2 + x_2^2 + 3x_1 + 5x_2 + 1$
  $f_2(x_1, x_2) = 6x_1^2 + 4x_1x_2 + 2x_1 + 6x_2 + 2$
  $f_3(x_1, x_2) = 3x_1^2 + 6x_1x_2 + 6x_1 + 2x_2 + 3$
We try to find a common solution of $f_i(x_1, x_2) = 0$ for $i = 1, 2, 3$.

MQ problem
MPKC are public key cryptosystems whose security depends on the difficulty of solving a system of multivariate quadratic polynomials with coefficients in a finite field $K$.
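As an added example that is not part of the slides, the Python below encodes the GF(7) system above as data and finds its common solution by exhaustive search over all $q^n$ assignments. It goes one step beyond the slide's single system: `random_mq_instance` builds a random system with a planted solution by choosing each constant term after the other coefficients are drawn, which is how a challenge generator guarantees that an instance is solvable (this generator is an assumed illustration, not any challenge's own code).

```python
# Added example (not code from the slides): the MQ problem made concrete.
# A polynomial over GF(q) is a dict {exponent tuple: coefficient}, one exponent per
# variable, e.g. {(2, 0): 2} is 2*x1^2 and {(1, 1): 5} is 5*x1*x2.
import itertools
import random


def evaluate(poly, x, q):
    """Evaluate poly at the point x in GF(q)^n."""
    total = 0
    for exps, coeff in poly.items():
        term = coeff
        for xi, ei in zip(x, exps):
            if ei:
                term *= pow(xi, ei, q)
        total += term
    return total % q


def solve_mq_exhaustive(system, n, q):
    """All common zeros of the system in GF(q)^n by trying every assignment.
    The cost is q**n evaluations per polynomial: the baseline any algebraic solver
    (Groebner basis, SAT, ...) has to beat."""
    return [x for x in itertools.product(range(q), repeat=n)
            if all(evaluate(f, x, q) == 0 for f in system)]


# The GF(7) system from the slide, variables (x1, x2).
GF7_SYSTEM = [
    {(2, 0): 2, (1, 1): 5, (0, 2): 1, (1, 0): 3, (0, 1): 5, (0, 0): 1},  # f1
    {(2, 0): 6, (1, 1): 4, (1, 0): 2, (0, 1): 6, (0, 0): 2},             # f2
    {(2, 0): 3, (1, 1): 6, (1, 0): 6, (0, 1): 2, (0, 0): 3},             # f3
]


def random_mq_instance(n, m, q, seed=0):
    """Random quadratic system of m equations in n variables over GF(q) with a
    planted solution (assumed challenge-style generator, constructed for this
    example): coefficients are random, then each constant term is fixed so that
    the planted point is a common zero, so the instance is solvable by design."""
    rng = random.Random(seed)
    solution = tuple(rng.randrange(q) for _ in range(n))
    monomials = []
    for i in range(n):
        for j in range(i, n):
            e = [0] * n
            e[i] += 1
            e[j] += 1
            monomials.append(tuple(e))          # x_i * x_j (x_i^2 when i == j)
    for i in range(n):
        e = [0] * n
        e[i] = 1
        monomials.append(tuple(e))              # linear terms
    system = []
    for _ in range(m):
        f = {mono: rng.randrange(q) for mono in monomials}
        f[(0,) * n] = (-evaluate(f, solution, q)) % q   # constant term plants the solution
        system.append(f)
    return system, solution


if __name__ == "__main__":
    print(solve_mq_exhaustive(GF7_SYSTEM, 2, 7))        # [(4, 6)]
    sys_, sol = random_mq_instance(3, 6, 31, seed=1)
    print(sol in solve_mq_exhaustive(sys_, 3, 31))    # True
```

The GF(7) system has exactly one common zero, $(x_1, x_2) = (4, 6)$. Exhaustive search is only feasible at toy sizes; for the planted-solution generator, note that the constant term alone decides solvability, which is the same mechanism the slides describe when the right-hand sides $d_i$ are chosen so that a solution exists.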
MQ problem: find a solution of the system of multivariate equations
  $f_1(x_1, \ldots, x_n) = \sum_{1 \le i, j \le n} a^{(1)}_{ij} x_i x_j + \sum_{1 \le i \le n} b^{(1)}_i x_i + c^{(1)} = d_1$
  $f_2(x_1, \ldots, x_n) = \sum_{1 \le i, j \le n} a^{(2)}_{ij} x_i x_j + \sum_{1 \le i \le n} b^{(2)}_i x_i + c^{(2)} = d_2$
  $\vdots$
  $f_m(x_1, \ldots, x_n) = \sum_{1 \le i, j \le n} a^{(m)}_{ij} x_i x_j + \sum_{1 \le i \le n} b^{(m)}_i x_i + c^{(m)} = d_m$
It is believed that it is difficult to solve the (general) MQ problem.

Gröbner basis attack
A fundamental tool for solving the MQ problem is the Gröbner basis. Faugère proposed the efficient algorithms F4 and F5 to improve the original algorithm [1][2].
Complexity for solving the MQ problem [3]:
  $O\left(\left(m \cdot \binom{n + d_{reg} - 1}{d_{reg}}\right)^{\omega}\right)$, where $2 < \omega < 3$ and $d_{reg}$ is an invariant determined by the multivariate polynomial system.
References:
[1] Faugère, J.C., "A New Efficient Algorithm for Computing Gröbner Bases (F4)", Journal of Pure and Applied Algebra, vol. 139, 1999.
[2] Faugère, J.C., "A New Efficient Algorithm for Computing Gröbner Bases (F5)", ISSAC, ACM Press, 2002.
[3] Bettale, L., Faugère, J.C. and Perret, L., "Hybrid approach for solving multivariate systems over finite fields", J. Math. Crypt., vol. 2, 2008.

Fukuoka MQ Challenge
Starting from April 2015: https://www.mqchallenge.org/

Simulated encryption scheme (slides dated 2015/3/18)
• Simple matrix scheme (ABC scheme), ZHFE, ...
• We choose parameters $m = 2n$.
  - To ensure the success of decryption, parameters $n \le m$ are used.
  - $m = 2n$ is suggested by the Simple matrix scheme.
• $d_1, \ldots, d_n$ are chosen so that the system has a solution.

Simulated signature scheme
• UOV, Rainbow (multilayered UOV), ...
• We choose parameters $n \approx 1.5m$, as suggested by the Rainbow scheme.
• Due to the free variables, the complexity is equal to the case $n = m$: we can assign random values to the free variables $x_{m+1}, \ldots, x_{\lfloor 1.5m \rfloor}$.

Base field
• In MPKC schemes, finite fields of small size are used, in order to get efficient arithmetic operations.
• Choice of base field for the MQ problem:
  - Binary field GF(2): the most typical field. More solvers can solve systems over the binary field, e.g. SAT solvers.
  - Binary extension field GF(2^8): binary extension fields are used in many applications. GF(2^8) is a reasonable size for cryptanalysis.
  - Prime field GF(31): another typical field used in cryptography is the prime field. GF(31) also has a reasonable size for cryptanalysis.

Types of Challenges
m: number of equations, n: number of variables, q: base field GF(q)
  Type | Parameters | Field   | Use
  I    | m = 2n     | GF(2)   | Encryption
  II   | m = 2n     | GF(2^8) | Encryption
  III  | m = 2n     | GF(31)  | Encryption
  IV   | n ≈ 1.5m   | GF(2)   | Signature
  V    | n ≈ 1.5m   | GF(2^8) | Signature
  VI   | n ≈ 1.5m   | GF(31)  | Signature

Current records, Type I (m = 2n, GF(2)); time in seconds:
  m    n    time
  110  55   963.53
  112  56   2254.21
  114  57   5096.94
  116  58   10391.10
  118  59   18357.53
  120  60   23536.88
  122  61   80244.52

Lattice-based Cryptography
A lattice $L$ is the set of all integer combinations of $n$ linearly independent vectors $\mathbf{b}_1, \ldots, \mathbf{b}_n \in \mathbb{R}^m$:
  $L(\mathbf{b}_1, \ldots, \mathbf{b}_n) = \left\{ \sum_{t=1}^{n} x_t \mathbf{b}_t : x_t \in \mathbb{Z} \right\}$.
Shortest vector problem (SVP): find the shortest vectors in the lattice of the given basis $\mathbf{b}_1, \ldots, \mathbf{b}_n$.

Algorithms for solving the SVP
(1) Lattice basis reduction (LLL/BKZ algorithm): polynomial time (+ exponential-time exhaustive search)
(2) Enumeration (extreme pruning [Gama-Nguyen-Regev 2010]): time $2^{O(n^2)}$, space polynomial size
(3) Sieving (Gauss sieve algorithm [Micciancio-Voulgaris 2010]): time heuristically $2^{O(n)}$, space $2^{O(n)}$
(4) Others

Darmstadt Lattice Challenge
https://www.latticechallenge.org/
• SVP Challenge / Lattice Challenge (since 2008)
• Ideal Lattice Challenge (since 2013)
• LWE Challenge (since 2016)

Darmstadt Ideal Lattice Challenge
At Eurocrypt 2016 we proposed an efficient variant of the BKZ algorithm and its cost simulator.
(Figure: target vector $\mathbf{b}$ s.t. $\|\mathbf{b}\| < n \cdot \det^{1/n}$; running times of $2^{24.0}$ sec and $2^{20.7}$ sec are marked. Our simulator gives a sharp estimation.)

LWE – Introduction
Learning With Errors problem:
  $\mathbf{b} = \mathbf{A}\mathbf{s} + \mathbf{e} \bmod q$, with $\mathbf{b} \in \mathbb{Z}_q^m$, $\mathbf{A} \in \mathbb{Z}_q^{m \times n}$, $\mathbf{s} \in \mathbb{Z}_q^n$ and $\mathbf{e} \in \mathbb{Z}_q^m$ drawn from $D_\sigma$.
Search LWE problem:
  Input: an instance $(\mathbf{A}, \mathbf{b} \equiv \mathbf{A}\mathbf{s} + \mathbf{e} \pmod q) \in (\mathbb{Z}_q^{m \times n}, \mathbb{Z}_q^m)$.
  Output: the secret vector $\mathbf{s} \in \mathbb{Z}_q^n$.
Elements of $\mathbf{A}$ and $\mathbf{s}$ are sampled uniformly at random in $\mathbb{Z}_q$. The error vector $\mathbf{e}$ is sampled from the Gaussian distribution $D_\sigma$ in $\mathbb{Z}_q$.

Embedding Technique on LWE
Embedding technique [Kannan 1987]: reduce the LWE problem to the unique-SVP problem.
Input: an instance $(\mathbf{A}, \mathbf{b} \equiv \mathbf{A}\mathbf{s} + \mathbf{e} \pmod q) \in (\mathbb{Z}_q^{m \times n}, \mathbb{Z}_q^m)$.
Output: the secret vector $\mathbf{s} \in \mathbb{Z}_q^n$.
Step 1. Construct a basis $\mathbf{B}_{HNF}$ of $L_1 = \{ \mathbf{v} \in \mathbb{Z}^m : \mathbf{v} \equiv \mathbf{A}\mathbf{s} \pmod q,\ \mathbf{s} \in \mathbb{Z}^n \}$.
Step 2. Rescale $\mathbf{B}_{HNF}$ to $\mathbf{B}' = \begin{pmatrix} \mathbf{B}_{HNF}^T & \mathbf{b} \\ 0 & M \end{pmatrix}$ as a basis of $L_2$, which reduces BDD to unique-SVP.
Step 3. Process $\mathbf{B}'$ with a reduction algorithm to derive the short vector $\mathbf{w} = \mathbf{B}' \binom{\mathbf{u}}{1} = \binom{\mathbf{e}}{M}$, which satisfies $\|\mathbf{w}\| \le \sqrt{\|\mathbf{e}\|^2 + M^2}$; here $\|\mathbf{e}\| \approx \sqrt{m}\,\sigma$.
Step 4. Compute the error vector $\mathbf{e} = \mathbf{b} - \mathbf{B}\mathbf{u}$, and compute the secret vector $\mathbf{s}$ from $(\mathbf{b} - \mathbf{e}) = \mathbf{A}\mathbf{s}$.

Experimental Results: TU Darmstadt LWE Challenge
$\alpha = \sigma / q$
• $(\alpha, n) = (0.005, 70)$
• Embedding technique + Progressive BKZ
• E5-2697 v2 @ 2.70GHz: 32.73 single-core hours

Conclusion
• The attack technology on cryptography is developing further.
• We need to keep investigating the security of post-quantum cryptosystems.
• Challenge problems are used for estimating the computational upper limit of expected attackers.

PQC Asia Forum
• The First PQC Asia Forum, June 8-9, 2016, Chenghu, China. http://cps.cqu.edu.cn/
• The Second PQC Asia Forum, Nov 28-29, 2016, Seoul, Korea. http://www.pqcforum.org/
• The Third PQC Asia Forum, Japan.
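The embedding technique of Steps 1-4 above, worked end to end on a constructed toy LWE instance (an added example, not the authors' attack code or the LWE Challenge's). The assumptions are: $q = 1009$, $n = 2$, $m = 7$, a small hand-picked error vector, embedding factor $M = 1$, a textbook LLL in place of Progressive BKZ, and a basis of $L_1$ built from the top $n \times n$ block of $\mathbf{A}$ (assumed invertible mod $q$) instead of a general HNF computation.

```python
# Added example (not the slides' own code): Kannan's embedding attack (Steps 1-4 above)
# on a constructed toy LWE instance. Assumptions: q = 1009, n = 2, m = 7, small error
# vector, embedding factor M = 1, textbook LLL instead of Progressive BKZ, and a basis
# of L_1 derived from the top n x n block of A (assumed invertible mod q) rather than
# a general HNF routine.
from fractions import Fraction


def inverse_mod_matrix(mat, q):
    """Inverse of a square matrix over Z_q (q prime) by Gauss-Jordan elimination."""
    n = len(mat)
    aug = [[x % q for x in row] + [int(i == j) for j in range(n)] for i, row in enumerate(mat)]
    for col in range(n):
        piv = next(r for r in range(col, n) if aug[r][col])
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = pow(aug[col][col], -1, q)
        aug[col] = [(x * inv) % q for x in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(x - f * y) % q for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def matvec(mat, vec, q):
    """mat * vec reduced mod q."""
    return [sum(a * x for a, x in zip(row, vec)) % q for row in mat]


def lll(basis, delta=Fraction(99, 100)):
    """Textbook LLL on integer row vectors, with exact rational Gram-Schmidt data."""
    b = [list(v) for v in basis]
    n = len(b)

    def dot(u, v):
        return sum(x * y for x, y in zip(u, v))

    def gram_schmidt():
        bstar, mu = [], [[Fraction(0)] * n for _ in range(n)]
        for i in range(n):
            v = [Fraction(x) for x in b[i]]
            for j in range(i):
                mu[i][j] = dot(b[i], bstar[j]) / dot(bstar[j], bstar[j])
                v = [vi - mu[i][j] * sj for vi, sj in zip(v, bstar[j])]
            bstar.append(v)
        return bstar, mu

    bstar, mu = gram_schmidt()
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):            # size-reduce b_k against b_j
            r = round(mu[k][j])
            if r:
                b[k] = [x - r * y for x, y in zip(b[k], b[j])]
                for i in range(j + 1):            # b*_k is unchanged; only row k of mu moves
                    mu[k][i] -= r * (1 if i == j else mu[j][i])
        if dot(bstar[k], bstar[k]) >= (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1]):
            k += 1                                # Lovasz condition holds
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            bstar, mu = gram_schmidt()
            k = max(k - 1, 1)
    return b


def qary_lattice_basis(A, q, n):
    """Step 1: triangular basis of L_1 = {v in Z^m : v = A s (mod q)}. Writing A = (A1; A2)
    with A1 invertible mod q, v2 = (A2 A1^-1) v1 mod q, so L_1 is generated by the rows
    (e_i, column i of A2 A1^-1) and (0, q e_r)."""
    m = len(A)
    A1inv = inverse_mod_matrix(A[:n], q)
    C = [[sum(A[n + r][k] * A1inv[k][j] for k in range(n)) % q for j in range(n)]
         for r in range(m - n)]
    basis = [[int(i == j) for j in range(n)] + [C[r][i] for r in range(m - n)] for i in range(n)]
    basis += [[0] * n + [q * int(r == t) for t in range(m - n)] for r in range(m - n)]
    return basis


def embedding_attack(A, b, q, n, M=1):
    """Steps 2-4: embed b, reduce, read off (e, M), then solve A1 s = (b - e)[:n] mod q."""
    m = len(A)
    B_prime = [row + [0] for row in qary_lattice_basis(A, q, n)] + [list(b) + [M]]
    w = lll(B_prime)[0]                           # Step 3: shortest reduced basis vector
    if w[-1] == -M:
        w = [-x for x in w]
    if w[-1] != M:
        return None                               # reduction did not expose (e, M)
    e = w[:m]                                     # Step 4: e = b - B u
    y = [(bi - ei) % q for bi, ei in zip(b[:n], e)]
    return matvec(inverse_mod_matrix(A[:n], q), y, q), e


def toy_lwe_instance():
    """Constructed sample (not a challenge instance): q = 1009, n = 2, m = 7."""
    q, n = 1009, 2
    A = [[512, 37], [88, 901], [640, 203], [355, 777], [19, 468], [730, 61], [284, 950]]
    s, e = [13, 71], [1, -2, 0, 2, -1, 1, 0]
    b = [(x + ei) % q for x, ei in zip(matvec(A, s, q), e)]
    return A, b, q, n, s, e


if __name__ == "__main__":
    A, b, q, n, s, e = toy_lwe_instance()
    print(embedding_attack(A, b, q, n), "expected", (s, e))
```

The attack succeeds because $(\mathbf{e}, M)$ is far shorter than every other primitive vector of $L_2$ at these toy parameters (the determinant of $L_2$ is $q^{m-n} M$ while $\|\mathbf{e}\|$ is a few units), so the gap of the unique-SVP instance is large enough for LLL alone. As $\alpha = \sigma/q$ and $n$ grow toward challenge sizes such as $(0.005, 70)$, the gap shrinks and LLL no longer suffices, which is why the experiment above pairs the embedding with Progressive BKZ.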